asking for a vote

bryan bryan@conserver.com
Tue, 15 Oct 2002 09:03:05 -0700 (PDT)

if you have any opinion, please respond to me directly, instead of the list,
so i can count opinions.

basically, i'm looking at the client-server protocol and wondering if it's
really a good idea for folks to be able to do a 'console -i', 'console -w',
etc, without providing a username and password (if passwords are required
via the conserver.passwd file).  currently, anyone can connect to a conserver
process, retrieve information, and then possibly use it against you.  this
seems like a bad idea to me, and i was thinking conserver should not give out
*any* information without first going through the user verification process
(if required by the config files).

what do folks think?  is anyone out there using the fact that you can poll for
information without first authenticating?  i could see automated scripts
breaking, or perhaps other cases where it won't work.

the biggest issue i see is that access is restricted to certain consoles.  i
figured that if you could authenticate to *any* console, you could poll for
information (in the new model).